Review identity protection basics
Identity Protection is a service that enables organizations to view the security posture of any account. Organizations can accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
Always remember that Microsoft Entra Identity Protection requires a Microsoft Entra ID Premium P2 license to operate. Licensing is covered in more detail in a later unit.
Identity Protection uses the knowledge Microsoft has gained from its position in organizations with Microsoft Entra ID, in the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyzes 6.5 trillion signals per day to identify and protect customers from threats.
The signals generated by and fed to Identity Protection can be passed on to tools like Conditional Access to make access decisions, or forwarded to a security information and event management (SIEM) tool for further investigation, according to the policies your organization enforces.
Risk detection and remediation
Identity Protection identifies risks in the following classifications:
| Risk detection type | Description |
|---|---|
| Anonymous IP address | Sign-in from an anonymous IP address (for example: Tor browser, anonymizer VPNs). |
| Atypical travel | Sign-in from an atypical location based on the user's recent sign-ins. |
| Malware-linked IP address | Sign-in from a malware-linked IP address. |
| Unfamiliar sign-in properties | Sign-in with properties we've not seen recently for the given user. |
| Leaked credentials | Indicates that the user's valid credentials have been leaked. |
| Password spray | Indicates that multiple usernames are being attacked using common passwords in a unified brute-force manner. |
| Microsoft Entra threat intelligence | Microsoft's internal and external threat intelligence sources have identified a known attack pattern. |
| New country | This detection is discovered by Microsoft Defender for Cloud Apps (MDCA). |
| Activity from anonymous IP address | This detection is discovered by MDCA. |
| Suspicious inbox forwarding | This detection is discovered by MDCA. |
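As an added example that is not part of this unit, the Python below flattens risk detection records of the kind the Microsoft Graph riskDetection resource returns into one-event-per-line JSON for a SIEM, maps each record's riskEventType to the classification names in the table above, and rolls up each user's highest still-active risk. The riskEventType, riskLevel and riskState values used here are assumptions about the Graph schema, and the sample records are constructed, not real detections.

```python
import json
from collections import defaultdict
# Graph riskLevel values (assumed), ordered so the most severe detection wins per user.
RISK_ORDER = {"hidden": 0, "none": 0, "low": 1, "medium": 2, "high": 3}
# Graph riskState values (assumed) that still count toward a user's current risk.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}
# Graph riskEventType values (assumed) mapped to the classification names in this unit.
EVENT_TYPE_NAMES = {
    "anonymizedIPAddress": "Anonymous IP address",
    "unlikelyTravel": "Atypical travel",
    "malwareInfectedIPAddress": "Malware-linked IP address",
    "unfamiliarFeatures": "Unfamiliar sign-in properties",
    "leakedCredentials": "Leaked credentials",
    "passwordSpray": "Password spray",
    "investigationsThreatIntelligence": "Microsoft Entra threat intelligence",
}
# Constructed sample records in the shape of the Graph riskDetection resource (not real data).
SAMPLE_DETECTIONS = [
    {"riskEventType": "unfamiliarFeatures", "riskLevel": "medium", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "detectedDateTime": "2024-05-01T08:12:00Z"},
    {"riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example", "ipAddress": None, "detectedDateTime": "2024-05-01T09:40:00Z"},
    {"riskEventType": "anonymizedIPAddress", "riskLevel": "low", "riskState": "remediated",
     "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7", "detectedDateTime": "2024-05-02T13:05:00Z"},
]
def flatten(detection):
    """Return one flat event with the unit's classification name added to the raw type."""
    event_type = detection.get("riskEventType", "unknown")
    return {
        "user": detection.get("userPrincipalName"),
        "event_type": event_type,
        "classification": EVENT_TYPE_NAMES.get(event_type, event_type),
        "risk_level": detection.get("riskLevel", "none"),
        "risk_state": detection.get("riskState", "none"),
        "ip": detection.get("ipAddress") or "",
        "detected_at": detection.get("detectedDateTime"),
    }
def summarize_by_user(detections):
    """Per-user rollup: highest still-active risk level, detection count, distinct classifications."""
    summary = defaultdict(lambda: {"max_risk": "none", "count": 0, "classifications": set()})
    for event in map(flatten, detections):
        entry = summary[event["user"]]
        entry["count"] += 1
        entry["classifications"].add(event["classification"])
        if event["risk_state"] in ACTIVE_STATES and RISK_ORDER.get(event["risk_level"], 0) > RISK_ORDER[entry["max_risk"]]:
            entry["max_risk"] = event["risk_level"]
    return {u: {**e, "classifications": sorted(e["classifications"])} for u, e in summary.items()}
def to_jsonl(detections):
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(flatten(d), sort_keys=True) for d in detections)
```

Remediated or dismissed detections are still exported for the audit trail but no longer raise the user's current risk, which is why bob's rollup stays at "none" while alice's is "high".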
Permissions
To access Identity Protection, a user must hold one of the following roles: Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator.
| Role | Can do | Can't do |
|---|---|---|
| Global Administrator | Full access to Identity Protection | |
| Security Administrator | Full access to Identity Protection | Reset password for a user |
| Security Operator | View all Identity Protection reports and Overview screen, Dismiss user risk, confirm safe sign-in, confirm compromise | Configure or change policies, Reset password for a user, Configure alerts |
| Security Reader | View all Identity Protection reports and Overview screen | Configure or change policies, Reset password for a user, Configure alerts, Give feedback on detections |
Currently, the Security Operator role cannot access the Risky sign-ins report. Conditional Access Administrators can also create policies that factor in sign-in risk as a condition.
License requirements
Using this feature requires a Microsoft Entra ID Premium P2 license.
| Capability | Details | Microsoft Entra ID Free / Microsoft 365 Apps | Microsoft Entra ID Premium P1 | Microsoft Entra ID Premium P2 |
|---|---|---|---|---|
| Risk policies | User risk policy (via Identity Protection) | No | No | Yes |
| Risk policies | Sign-in risk policy (via Identity Protection or Conditional Access) | No | No | Yes |
| Security reports | Overview | No | No | Yes |
| Security reports | Risky users | Limited information. Only users with medium and high risk are shown. No details drawer or risk history. | Limited information. Only users with medium and high risk are shown. No details drawer or risk history. | Full access |
| Security reports | Risky sign-ins | Limited information. No risk detail or risk level is shown. | Limited information. No risk detail or risk level is shown. | Full access |
| Security reports | Risk detections | No | Limited information. No details drawer. | Full access |
| Notifications | Users at risk detected alerts | No | No | Yes |
| Notifications | Weekly digest | No | No | Yes |
| MFA registration policy | | No | No | Yes |